ChromeOS Vulnerability Reward Program Rules

The ChromeOS Vulnerability Reward Program (VRP) provides monetary awards and public recognition to the security researchers who invest their time and effort in helping us make ChromeOS devices and the entire ChromeOS project ecosystem more secure.

Scope of Program

Any security issue impacting the ChromeOS ecosystem may be reported to Google via this program.

To be considered for reward, security bugs must target Chromebooks or ChromeOS Flex devices on supported hardware running the latest available version of ChromeOS in our Stable, Beta, or Developer channels in verified mode.

A vulnerability is a bug that can be exploited by an attacker to impact the security of a ChromeOS device.

The following are not in scope for rewards:

  • Vulnerabilities in older releases available through our Long Term Stable (LTS) channel.
  • Vulnerabilities impacting ChromeOS on unsupported hardware or AUE devices.
  • Vulnerabilities that only manifest when the device is in Developer mode.
  • Security weaknesses that are not the result of bugs. We will treat those as feature requests, and assign a priority based on the security severity of the issue.

This program covers vulnerabilities in ChromeOS that are not covered by other reward programs at Google.

Qualifying Vulnerabilities

Vulnerabilities discovered anywhere in the ChromeOS stack, including but not limited to supported hardware, firmware, and OS components (whether developed by Google or not), are eligible for reward if they put ChromeOS device users at risk.

We will typically focus on critical, high and medium security severity bugs. Existing mitigations may impact our assessment of the security severity of a bug. See Mitigated Bugs.

A few classes of security bug reports that generally do not qualify for a reward:

  • Bugs that cause a crash, unless it is a full denial of service and restart is not possible or the bug can be exploited remotely without user interaction.
  • Duplicate issues or issues we would have fixed without the report. Only the first report of a given issue that we were previously unaware of is eligible for reward. In the event of a duplicate submission, the earliest filed bug report in Issue Tracker is considered the first report.
  • Security bugs that are unreachable in ChromeOS. See Unreachable Bugs.
  • Bugs disclosed publicly or to a third-party for purposes other than fixing the bug. We encourage responsible disclosure, and believe disclosure is a two-way street. We will prioritize security bug fixes based on severity per our published SLOs.

Unreachable Bugs

It is important to note that ChromeOS is not a general-purpose OS. A piece of code may appear vulnerable in isolation, but further examination of the code paths that reach it may show that they contain checks that prevent the vulnerability from being triggered.

For example, a function may appear vulnerable to out-of-bounds reads or writes because it is missing length checks. If every caller of that function in ChromeOS already performs those length checks, and there is no other way to reach the function, then this is not an exploitable security bug.

Similarly, a vulnerability in a non-default configuration that cannot be changed by a user would not be considered reachable.

If you're providing a report based on a code audit, without a PoC, please include enough information in the code audit to show that the code is reachable in a vulnerable way. That is, show that there's a code path that would be reached in normal operation where the parameters could be controlled by an attacker to trigger the vulnerability.
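The following is an added illustration of the reachability argument above, not code from ChromeOS or any Google project. It models a hypothetical internal helper (`copy_payload`) that has no bounds check of its own, two hypothetical default entry points that validate the attacker-controlled length field before calling it, and a third caller that is only compiled into a non-default debug build. The probe function at the end is the kind of evidence a code-audit report should carry: it drives every possible length value through the shipping entry points and records the largest length the unchecked helper ever sees. All names, constants and framing formats are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_MAX 64

/* Audit instrumentation: the largest `len` the unchecked helper has been
 * called with so far. If an attacker can push this above FRAME_MAX there is a
 * real out-of-bounds write; if no default entry point allows it, the missing
 * check is unreachable. */
static size_t g_max_len_seen;

/* Hypothetical internal helper. Read on its own it looks like an
 * out-of-bounds write: nothing here compares `len` against FRAME_MAX. */
static void copy_payload(uint8_t dst[FRAME_MAX], const uint8_t *src, size_t len) {
    if (len > g_max_len_seen) g_max_len_seen = len;
    memcpy(dst, src, len);  /* unchecked: relies entirely on its callers */
}

/* Entry point 1 (hypothetical): one-byte length prefix, e.g. a USB report.
 * Rejects lengths larger than the destination or than the bytes received. */
int frame_from_usb(const uint8_t *pkt, size_t pkt_len, uint8_t out[FRAME_MAX]) {
    if (pkt == NULL || pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > FRAME_MAX || len > pkt_len - 1) return -1;
    copy_payload(out, pkt + 1, len);
    return (int)len;
}

/* Entry point 2 (hypothetical): two-byte big-endian length prefix, e.g. a
 * network message. Same check, different framing. */
int frame_from_net(const uint8_t *msg, size_t msg_len, uint8_t out[FRAME_MAX]) {
    if (msg == NULL || msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > FRAME_MAX || len > msg_len - 2) return -1;
    copy_payload(out, msg + 2, len);
    return (int)len;
}

#ifdef FRAME_DEBUG_CONSOLE
/* A caller that skips the check, but only in a non-default build. It does not
 * make the helper reachable on a default image, which is the "non-default
 * configuration that cannot be changed by a user" case in the rules above. */
int frame_from_debug_console(const uint8_t *msg, size_t msg_len, uint8_t out[FRAME_MAX]) {
    copy_payload(out, msg, msg_len);
    return (int)msg_len;
}
#endif

/* Audit probe: push every attacker-controllable length value (and some
 * truncated packets) through both default entry points and report the largest
 * `len` that reached copy_payload. A result <= FRAME_MAX shows the helper's
 * missing check is not reachable in the default configuration. */
size_t probe_max_len_reaching_helper(void) {
    static uint8_t pkt[3 + 0xFFFF];  /* constructed input: large enough for any length field */
    uint8_t out[FRAME_MAX];
    memset(pkt, 0x41, sizeof pkt);
    g_max_len_seen = 0;

    for (unsigned len = 0; len <= 0xFF; len++) {        /* every 1-byte length */
        pkt[0] = (uint8_t)len;
        frame_from_usb(pkt, sizeof pkt, out);
        frame_from_usb(pkt, 1 + len / 2, out);          /* packet shorter than it claims */
    }
    for (unsigned len = 0; len <= 0xFFFF; len++) {      /* every 2-byte length */
        pkt[0] = (uint8_t)(len >> 8);
        pkt[1] = (uint8_t)len;
        frame_from_net(pkt, sizeof pkt, out);
    }
    return g_max_len_seen;  /* 64 == FRAME_MAX for this code */
}
```

The probe is only as good as the caller inventory: if a report claims a bug is reachable, it should name an entry point (or a build configuration that ships by default) from which the helper receives a length the callers do not clamp.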

Unreachable bugs do not qualify for reward. Hardening patches may still qualify for Google Patch Rewards.

Mitigated Bugs

Mitigated security bugs are eligible for VRP rewards, but at a reduced reward amount unless you can demonstrate that the mitigations can be bypassed.

Issues that are highly or substantially mitigated are typically considered low security severity and will not qualify for reward.

We may still reward a high-quality bug report bonus if your report demonstrates our mitigations are effective.

Qualified Exploit Chains

We provide an extra reward for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data exfiltration, or a lockscreen bypass.

The actual reward amount for exploit chains is at the discretion of the reward committee and depends on a number of factors, including (but not limited to):

  • whether a buildable exploit exists
  • whether a detailed write-up describing how the exploit works was provided
  • whether the initial attack vector is remote, local network, or physical
  • whether the exploit is device- or build-specific, or works across a broad set of builds and devices
  • how much user interaction is required for the exploit to work
  • whether the user could feasibly detect that an exploit is in progress or has completed
  • whether the exploit is reliable

Reward Amounts

We have a standing $500,000 reward for exploit chains that compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest-to-guest persistence with interim reboot, delivered via a web page).

Rewards for qualifying security bugs are per the table below. For the maximum reward, please ensure you submit a high-quality report.

We will pay an additional $100,000 for a qualified exploit chain.

Security Severity | Reward (baseline, up to the maximum for a high-quality report) | Patch Bonus
Critical          | $5,000, up to $30,000                                           | Up to $10,000
High              | $2,000, up to $15,000                                           | Up to $2,000
Medium            | $500, up to $1,000                                              | Up to $500

As we verify fixed bugs or review bugs for reward, we may reassess the security severity of a bug. It’s possible that we may realize that the bug is unreachable, low severity, substantially mitigated, etc. and doesn’t qualify for a reward.

We may choose to reward $250 for any report at any severity level that the panel believes has helped us improve the overall security posture of ChromeOS and the ChromeOS ecosystem.

All reward amounts are at the sole discretion of the panel.

We may occasionally offer additional reward bonuses for certain kinds of bugs. To learn about potential reward opportunities, see Google Bughunters News.

Report Guidelines

All bugs should be reported using the vulnerability form (report to ChromeOS VRP). If you are submitting a patch, please attach the files (individually, not in a zip file) to the bug report. You can also attach a buildable POC/exploit.

Please note that a bug with any potential exploit will be made public 14 weeks after the fix has been released.

High Quality Reports

We will look for the following in determining whether your report is high quality:

  • An accurate and detailed description of the issue including the device name and version, any flags that must be enabled for the issue to be exploitable, and a plausible scenario under which an attacker can reach this bug to exploit the bug in a default ChromeOS configuration with all applicable mitigations in place.
  • A full root cause analysis describing why the issue is occurring and what ChromeOS source code should be patched to fix it.
  • A bisect or link to a commit that introduced the issue to help us pinpoint the issue quickly.
  • A proof-of-concept that effectively, quickly, and easily demonstrates the vulnerability with any applicable reproduction output (e.g., video recording, debugger output, etc.). The proof of concept must demonstrate that the bug is reachable by an attacker and that any existing mitigations can be bypassed.
  • A step-by-step explanation on how to reproduce the vulnerability.
  • If applicable, provide fast responses to questions from security testers in no more than one week, and include all requested information.

Patches and POCs/exploits should be submitted with the bug report or shortly afterwards. Patches submitted after a fix has been developed may not be eligible for rewards.

Frequently Asked Questions

Q: How will vulnerabilities be disclosed?

A: We will acknowledge vulnerabilities (unless requested otherwise) in the ChromeOS Release Notes. We will disclose vulnerabilities by making the bug public 14 weeks after the fix was released.

Q: When will I receive payment for my reward?

A: You will be able to see any panel reward decisions in a field on the bug created for your report. Reward information is sent for processing once a reward decision has been made. Note that in some cases, we may pay out rewards before the bug fix has been released or the bug details made public. If you disclose the bug after receiving the reward, without giving us heads up and a reasonable deadline to release the bug fix and make the bug public, you may not be eligible for future rewards.

Q: Will a CVE ID be assigned?

A: We will typically assign a CVE to Critical, High, and Medium severity security bugs we fix in ChromeOS.

Q: Do I still qualify if I discuss the vulnerability publicly once fixed?

A: Yes, we would ask that you only discuss the vulnerability publicly after the bug has been made public. If you want to discuss sooner, please let us know so we can coordinate.

Q: Can you keep my identity confidential from the rest of the world?

A: Yes. If selected as the recipient of a reward, and you accept, we need your contact details in order to pay you. However, at your discretion and if you ask us before the bug is made public, we can credit the bug to "anonymous" and remove identifying information from the patch and bug entry. Your full email address will also be obfuscated in Issue Tracker.

Q: Can I submit my report without having to create a Google account?

A: We would strongly prefer that report submissions take place through the vulnerability form. However, security issues can be sent directly to chromeos-security(-at-)chromium(-dot-)org (although submissions through this channel will typically not be eligible for reward payouts).

Q: What if I disagree with the assessment or the reward amount?

A: All reward amounts are at the sole discretion of the panel, but we are human and sometimes we make mistakes. If you feel a bug was not rewarded correctly, please send an email to chromeos-security(-at-)chromium(-dot-)org with the bug number and let us know why you think we need to take another look.

Q: What if I would like to donate my reward to charity?

A: We understand that some of you are not interested in money. We offer the option to donate your reward to a charity registered with our giving partner. If you do so, we will double your donation, subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Your testing must not violate any law, or disrupt or compromise any data that is not your own.

To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for ChromeOS and/or devices covered by this program.